Legal

Data Processing Agreement

Last updated: 10 July 2026

This Data Processing Agreement (the "DPA") sets out how Stravax Group LLC processes personal data on behalf of Stravax Engage customers. It forms part of the Terms of Service and applies whenever we act as your processor. You do not need to sign it: by accepting the Terms of Service, you accept this DPA.

1. Parties, scope, and incorporation

This DPA is between Stravax Group LLC, a company registered in the United Arab Emirates (licence 2537844.01), with a registered address at Shams Business Center, Sharjah Media City Free Zone, Al Messaned, Sharjah, UAE ("Stravax", "we", "us", the processor), and the business that holds the Stravax Engage account ("Customer", "you", the controller).

This DPA is incorporated into, and forms part of, the Terms of Service by reference. It governs the processing of personal data that you route through Stravax Engage, where you are the controller and we act as your processor. No separate signature is required: by accepting the Terms of Service, or by creating an account or using the platform, you accept this DPA on behalf of the business you represent. Where this DPA and the Terms of Service conflict on the processing of personal data, this DPA prevails. A negotiated written agreement signed by both parties prevails over this DPA to the extent of any conflict.

2. Definitions

3. Roles and scope of processing

For personal data you route through Stravax Engage, you are the controller and Stravax is the processor. The subject matter of the processing is the operation of the Stravax Engage platform for you. The duration of the processing is the term of your account, plus the limited retention and export periods described in section 11.

ItemDetail
Nature and purposeProcessing to deliver the Service on your instructions: routing WhatsApp messages, storing your team inbox, running broadcasts, automation, and Shopify abandoned-cart recovery, maintaining lead and pipeline records in the CRM, and syncing the conversion events you configure to the ad accounts you connect.
Types of personal dataYour contacts' WhatsApp numbers and profile names; the content and metadata of the messages you send and receive; lead and pipeline records in the CRM; and the conversion events you choose to sync to ad platforms.
Categories of data subjectsYour contacts and customers, your prospects and leads, and the members of your team you add as users of your organisation.

4. Customer instructions

We process personal data only on your documented instructions, including as set out in this DPA, the Terms of Service, and your configuration and use of the platform. We do not use your data for our own purposes and do not sell it. If we believe an instruction breaches applicable data protection law, we will inform you. If we are required by law to process personal data other than on your instructions, we will inform you of that requirement before processing, unless the law prohibits it.

You warrant that you have a lawful basis and, where required, valid opt-in and consent to message your contacts through WhatsApp and to route their personal data through the Service, and that your instructions comply with applicable law.

5. Confidentiality of personnel

We ensure that personnel authorised to process personal data under this DPA are bound by an appropriate duty of confidentiality and process the data only as needed to deliver the Service.

6. Security measures

We take reasonable technical and organisational measures to protect personal data. These include:

No system is perfectly secure, but we maintain measures appropriate to the risk. We may update these measures over time, provided the level of protection is not materially reduced.

7. Subprocessors

You give us general written authorisation to engage subprocessors to process personal data in order to deliver the Service. Each subprocessor processes data only as needed and under its own terms, and we take reasonable steps to ensure each protects data appropriately. Our current subprocessors are:

ProviderPurpose
Meta / WhatsAppThe WhatsApp Business Platform that sends and receives your messages.
CloudflareHosting, database, message and media storage, and platform security.
ResendTransactional and notification email.
ShopifyStore and order data for abandoned-cart recovery, where you connect a store.
StripePayment processing for paid plans.
Google and Meta (Ads)Receiving the conversion events you choose to sync to ad accounts you connect.

We will give you notice before adding or replacing a subprocessor, so that you have a reasonable opportunity to object on reasonable data protection grounds. If you object and we cannot reasonably accommodate your objection, you may stop using the affected feature or terminate your account as your remedy.

8. Data subject rights

Taking into account the nature of the processing, we assist you by appropriate technical and organisational measures, so far as reasonably possible, in responding to requests from data subjects to exercise their rights under applicable law, including access, correction, deletion, objection, and restriction. If a data subject contacts us directly about data we process on your behalf, we will refer them to you, as you are the controller of that data.

9. Personal data breach notification

If we become aware of a personal data breach affecting the personal data we process on your behalf, we will notify you without undue delay. Our notice will describe the nature of the breach and the information reasonably available to us, so that you can meet your own notification obligations, and we will take reasonable steps to mitigate its effects.

10. International transfers

We process personal data in the United Arab Emirates. Some of our subprocessors, including Meta and Cloudflare, operate global infrastructure, so data may be processed outside the UAE. Where that happens, we rely on those providers' own safeguards for such transfers.

11. Deletion and return on termination

Message content and media are retained while your account is active and are deleted or made available for export within a reasonable period (typically 30 days) after termination. After that period, we may delete the data, unless we are required to retain it by applicable law. Account and billing data are retained as described in our Privacy Policy.

12. Audit and information rights

On reasonable written request, and no more than once a year unless required by a regulator or following a personal data breach, we will make available information reasonably necessary to demonstrate our compliance with this DPA. Any audit is subject to reasonable confidentiality and security conditions and must not disrupt the Service or the data of our other customers.

13. Liability

Each party's liability under this DPA is subject to the limitation of liability set out in the Terms of Service.

14. Governing law

This DPA is governed by the laws of the United Arab Emirates, including UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, and any dispute is subject to the exclusive jurisdiction of the competent courts of the United Arab Emirates.

15. Contact

Questions or data protection requests under this DPA: [email protected], Stravax Group LLC, Shams Business Center, Sharjah Media City Free Zone, Al Messaned, Sharjah, UAE.

This DPA covers processing on the Stravax Engage platform. Custom or managed engagements may be governed by an additional written agreement, which prevails over this DPA to the extent of any conflict.